Aug 22 2016

FDIC Plans to Bolster Cybersecurity Following Breaches, with DHS Help

The agency says it will sign up for the Department of Homeland Security’s Einstein intrusion detection system.

The Federal Deposit Insurance Corp. is seeking to improve its cybersecurity posture and plans to join the Department of Homeland Security’s Einstein defense system. The announcement comes in the wake of a series of highly publicized data breaches within the FDIC.

“Information security is critical to the FDIC’s ability to carry out its mission of maintaining stability and public confidence in the nation's financial system,” the agency said in an Aug. 9 statement on its website. “The FDIC will remain alert and continue to adjust our security controls in light of the changing threat landscape.”

The FDIC said it is committed to making the public aware of changes to its cybersecurity program and will provide regular updates.

As part of its updated security program, the agency said it “signed a memorandum of understanding to migrate to an intrusion prevention, detection, and monitoring system from the Department of Homeland Security that will help detect and block outside cyber threats.”

Upgrading Cybersecurity on Multiple Fronts

DHS’ National Cybersecurity Protection System, the formal name for Einstein, compares network traffic with known patterns of malicious data, or signatures. Einstein 3A, the latest iteration of the system, uses classified information to detect and block threats by keeping out all traffic that is on its “watch list” of known vulnerabilities. The system is used to protect federal civilian executive branch agencies.

Although the Einstein system has come under criticism for not being comprehensive enough in its ability to block cyberattacks, DHS has championed the program. In January, DHS Secretary Jeh Johnson issued a statement defending Einstein, noting that it “has the ability to actively block — not just detect — potential cyberattacks. Unlike commercial products, EINSTEIN 3A can rely upon classified information, so the government is protected against our most sophisticated adversaries.”
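The signature-comparison idea described above, as an added illustration that is not the FDIC's, DHS's or Einstein's code: a toy filter holds a watch list of known-bad hosts and payload patterns, blocks any flow that matches, and lets everything else through. Every host address, signature name and flow record below is constructed for the example, and the last sample flow shows the limitation raised by critics: a pattern that is not yet on the watch list is not detected.

```python
"""Toy signature-based traffic filter (added example, not Einstein code).

All hosts, signatures and flows are constructed; addresses come from the
RFC 5737 documentation ranges so they match nothing real.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class Verdict:
    action: str            # "block" or "allow"
    reason: Optional[str]  # name of the matching signature, if any

# Constructed watch list: hosts known to be bad (hypothetical values).
BAD_HOSTS = {"203.0.113.7", "198.51.100.23"}

# Constructed payload signatures (hypothetical names and patterns).
PAYLOAD_SIGNATURES = {
    "sig-beacon-001": re.compile(rb"BEACON-[0-9a-f]{8}"),
    "sig-exfil-002": re.compile(rb"^EXFIL:"),
}

def inspect(flow: Flow) -> Verdict:
    """Compare one flow against the watch list; first match wins."""
    if flow.src in BAD_HOSTS or flow.dst in BAD_HOSTS:
        return Verdict("block", "watchlist-host")
    for name, pattern in PAYLOAD_SIGNATURES.items():
        if pattern.search(flow.payload):
            return Verdict("block", name)
    # Nothing on the watch list matched: the flow is passed through.
    return Verdict("allow", None)

def filter_flows(flows: List[Flow]) -> List[Tuple[Flow, Verdict]]:
    """Run every flow through inspect() and pair it with its verdict."""
    return [(flow, inspect(flow)) for flow in flows]

def count_blocked(flows: List[Flow]) -> int:
    return sum(1 for _, v in filter_flows(flows) if v.action == "block")

# Constructed sample traffic. The final flow carries a pattern that is
# not on the watch list, so a signature-only filter allows it.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.7", b"GET / HTTP/1.1"),
    Flow("192.0.2.11", "192.0.2.50", b"hello BEACON-deadbeef"),
    Flow("192.0.2.12", "192.0.2.50", b"EXFIL: customer-records.csv"),
    Flow("192.0.2.13", "192.0.2.50", b"ordinary traffic"),
    Flow("192.0.2.14", "192.0.2.50", b"NOVEL-C2-not-yet-in-watchlist"),
]

if __name__ == "__main__":
    for flow, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {verdict.action} ({verdict.reason})")
```

The filter is only as good as its watch list: the fourth and fifth sample flows are both allowed, even though the fifth is meant to represent traffic a newer signature would catch. That is why a system like this is normally paired with the other controls the article goes on to list.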

The FDIC “has begun an active engagement with [DHS] to implement Einstein,” agency spokeswoman Barbara Hagenbaugh told FedScoop.

In addition to working with DHS on getting protection from Einstein, the FDIC said it has expanded its use of multifactor authentication for downloading assessment invoices and official correspondence.

The agency has also discontinued its users’ ability to copy information to removable media, such as external hard drives and thumb drives, which were blamed for the breaches.

The FDIC is working with consultants at Booz Allen Hamilton to conduct an end-to-end assessment of the agency’s IT security and privacy programs, according to FedScoop and Federal News Radio.

An FDIC spokesperson told Federal News Radio that the agency is exploring the use of digital rights management technology, which would let it know if information removed from its systems is copied.

“The FDIC has been exploring the use of DRM technology to better protect unstructured information from unauthorized access,” the spokesperson said. “If implemented, DRM would be implemented initially on a small scale to pilot the technology, and expanded and adjusted as we have more experience with the technology. If DRM is implemented, we would ensure it is integrated well with other information protection technologies that already exist at the FDIC.”

Bouncing Back from Breaches

As a result of the breaches at the FDIC, the personal banking data of about 160,000 individuals was removed from the agency by employees who were leaving. The breaches occurred in at least seven separate incidents when departing employees copied their own personal information to removable thumb drives, and, according to the agency, inadvertently copied customer banking data at the same time.

The FDIC inspector general in July opened criminal investigations into “several” data breaches at the agency that related to the removal of sensitive banking information on removable media.

The FDIC said it has already taken steps to bolster its defenses, including encrypting some of its most sensitive information, using encrypted computer notebook hard drives, and putting in place a data loss prevention program that monitors information in emails, information being transferred to websites and information that is printed.

Further, the agency said it requires employees to take annual security and privacy training so they are aware of its security standards, and that the training is supplemented by periodic phishing tests to help ensure employees stay on guard against possible outside security threats.

There are several steps agencies can take to defend themselves against the kind of breaches that hit the FDIC. They include conducting audits and inventories of the data they have on hand; ensuring that official agency data is not commingled with employees’ personal data; archiving or deleting information the agency no longer needs to keep; training employees on security policies designed to protect data integrity; and making sure employees comply with security policies.